Overview

overview

10

Static

static

e2553192a2...91.exe

windows7-x64

10

e2553192a2...91.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    103s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2022 07:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e2553192a24ce7cc856c29e3d82c221b3dcbdc2b2e605342aa80c434328c9e91.exe

  • Size

    111KB

  • MD5

    5b610a9e433377509bfba253b70ad4b4

  • SHA1

    600fed6e8874fa2980570810aca4368f6865e9a7

  • SHA256

    e2553192a24ce7cc856c29e3d82c221b3dcbdc2b2e605342aa80c434328c9e91

  • SHA512

    1731e1934cc3304910f5791454be4a9867b8b0c0113003d7a674e719b6755d89c2ecc80abdbf6092ac5add95801205e1bce4ffed8cfe52341f39fe1b82bdaf66

  • SSDEEP

    1536:tI2Ke+YcGCvhmP/+IL4huyCjMbxObKR29aZMT0bnonql4TrCqrkHck:tIiLcmP/+IEgy0MbxObVEMT07i2uk

Score
10/10
blackmoonbankertrojan

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2553192a24ce7cc856c29e3d82c221b3dcbdc2b2e605342aa80c434328c9e91.exe
    "C:\Users\Admin\AppData\Local\Temp\e2553192a24ce7cc856c29e3d82c221b3dcbdc2b2e605342aa80c434328c9e91.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://dreamcrydc.blog.163.com/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:972
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:972 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:316

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f5900dc03f86f3eed449588066a4dd97

    SHA1

    376eb75802dc9a610de5675b700d1231669faaf6

    SHA256

    7235e3fed65aac13b968d2363690155bff14fd0cb9aa4b459858663c693c73bc

    SHA512

    53141f1e583e107001c8bf5dd2ee69880078d3f4fa0acf81eb022210a6117f4e9c6ed97e222a62fd1a9d71b3430eb79c1748d2198aba7e59c8eb72bfe0812c09

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\5GRV5CKA.txt
    Filesize

    601B

    MD5

    878bad3cd716cb4acecf4601b4245721

    SHA1

    99667a59827083c387a4329a1bd265884282c5c4

    SHA256

    1d4a56f546881854f20746f918fc89c9416052c3abf9fb1e4f4b7f09bcd3691e

    SHA512

    5e21ef588d33208e17de27df01f7b36b2979cf9295f1b403dfc0c9f3e2c1f27710d47e46e27adffc49099ee6a58907bf9937f1f87c16e90af10b82e630db42b2

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DIIUMMAU.txt
    Filesize

    90B

    MD5

    1abfa33933b943f08f568351ce88782a

    SHA1

    d96f729a2000bf1c26ffb7b8888ad100e0252098

    SHA256

    78bca1019ff25ce782d92ad8c531841b49ab43caa2e073d36eb92ed7e47a3152

    SHA512

    a8c274fa3a3d453681c77045500a880cb390eaf0a0c637abf174999bb48ebf4339f5c44e06b76ef89a0967f4e0da71904d5e3d6e3a7d42c6219640f6a0ebf2f0

    Download Submit
  • memory/1212-54-0x0000000074F01000-0x0000000074F03000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1212-55-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

    Download
  • memory/1212-57-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

    Download
  • memory/1212-58-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

    Download
  • memory/1212-59-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

    Download